Bug 2461606 (CVE-2026-42035) - CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype pollution
Summary: CVE-2026-42035 axios: Axios: Arbitrary HTTP header injection via prototype po...
Keywords:
Status: NEW
Alias: CVE-2026-42035
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2463436 2463437 2463438 2463439 2463441 2463442 2463444 2463445 2463446 2463447 2463448 2463440 2463443
Blocks:
Reported: 2026-04-24 18:01 UTC by OSIDB Bzimport
Modified: 2026-04-28 14:13 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-24 18:01:49 UTC
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.
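To make the gadget concrete, here is an added JavaScript illustration (not axios's own code): a loose duck-typed FormData check of the shape the advisory describes, beside a hardened variant that only trusts properties defined below Object.prototype, both run against a plain JSON body and a FormData-like object with and without a temporary, constructed pollution of Object.prototype. The function names, the FakeFormData class and the sample payload are assumptions made for this example.

```javascript
// Added illustration, not axios source: a loose duck-typed FormData check of the
// kind the advisory describes next to a hardened one, under constructed pollution.
const DUCK_KEYS = ['getHeaders', 'append', 'pipe', 'on', 'once', Symbol.toStringTag];
// Loose check: reads each key through the prototype chain, so once Object.prototype
// is polluted every plain object (e.g. a JSON body) is mistaken for FormData.
function looksLikeFormDataLoose(data) {
  if (data === null || typeof data !== 'object') return false;
  return data[Symbol.toStringTag] === 'FormData' &&
    DUCK_KEYS.slice(0, 5).every((k) => typeof data[k] === 'function');
}
// True only if `key` is defined on obj or on a prototype below Object.prototype,
// so a value present solely because Object.prototype was polluted does not count.
function definedBelowObjectPrototype(obj, key) {
  for (let p = obj; p !== null && p !== Object.prototype; p = Object.getPrototypeOf(p)) {
    if (Object.prototype.hasOwnProperty.call(p, key)) return true;
  }
  return false;
}
// Hardened check: same shape test, but every key must be genuinely defined.
function looksLikeFormDataStrict(data) {
  if (data === null || typeof data !== 'object') return false;
  return DUCK_KEYS.every((k) => definedBelowObjectPrototype(data, k)) &&
    looksLikeFormDataLoose(data);
}
// Minimal stand-in for a real multipart body object (assumed for the example).
class FakeFormData {
  get [Symbol.toStringTag]() { return 'FormData'; }
  getHeaders() { return { 'content-type': 'multipart/form-data' }; }
  append() {} pipe() {} on() {} once() {}
}
// Run fn with the gadget shape installed on Object.prototype, then remove it again.
function withPollutedPrototype(fn) {
  const gadget = { getHeaders: () => ({ 'x-injected': '1' }), append() {}, pipe() {},
    on() {}, once() {}, [Symbol.toStringTag]: 'FormData' };
  for (const k of DUCK_KEYS) {
    Object.defineProperty(Object.prototype, k, { value: gadget[k], configurable: true });
  }
  try { return fn(); } finally { for (const k of DUCK_KEYS) delete Object.prototype[k]; }
}
// Classify a plain JSON payload and a form body, both clean and under pollution.
function demo() {
  const json = { user: 'alice' }; // constructed sample request body
  const form = new FakeFormData();
  const classify = () => ({
    jsonLoose: looksLikeFormDataLoose(json), jsonStrict: looksLikeFormDataStrict(json),
    formLoose: looksLikeFormDataLoose(form), formStrict: looksLikeFormDataStrict(form),
  });
  return { clean: classify(), polluted: withPollutedPrototype(classify) };
}
```

The hardened check still trusts every other prototype in the chain, so it narrows this gadget rather than replacing the upgrade to 1.15.1 or 0.31.1.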

